What’s your secret question redux

July 22, 2009

That recent Twitter hack relied on, guess what, resetting a password using secret questions.  Read the details here.


Nevada mandates PCI-DSS

June 24, 2009

Nevada is the first state to pass legislation that requires companies doing business in the state that process credit cards to comply with the PCI-DSS.  Surprising they beat California to the punch, but I suspect other states will follow suit in short order.  Read here.

MasterCard – On-site assessments extended to level 2 merchants

June 19, 2009

Looks like, as far as self assessments are concerned, MC thinks the fox hasn’t been guarding the hen house very well.  Starting in Dec 2010, level 2 merchants will have to undergo on-site security assessments à la level 1 merchants.  Even though this is a MC-only requirement, the effect will be felt by all level 2 merchants.  Read here.

Mid week challenge

June 10, 2009

Here is a little challenge, maybe not so little, to get your security juices flowing again.  It’s some security 101 stuff, that low hanging fruit that can close the door on a possible breach.  When was the last time you bounced your user accounts (Active Directory, ‘nix, remote access) up against an active employee listing?  Against a list of active contractors/temps?  Do you even have such lists?  My experience has been it either never has been done, has been a while, or the lists do not exist.  The 2009 Verizon Data Breach Report noted several instances of breaches that were a direct result of active user accounts being used by recently terminated employees.  This is simple stuff that gets overlooked but goes a long way in improving your security posture.

If you are not a script writer like me, take a look at DumpSec from the SystemTools folks. It’s a great little free app that will dump your Active Directory accounts (sorry ‘nix folks, but you are better script writers than the Windows crew, right?) into a file for import into your favorite spreadsheet/DB.  Add your employee/contractor/temp lists, shake and stir, and voilà!
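For the ‘nix folks (or anyone who would rather script than spreadsheet), here is an added example of the "shake and stir" step, not code from the post or from DumpSec: it reads a constructed account export and constructed HR extracts in a simple CSV layout that is assumed for the example (DumpSec’s real column names are not used), and lists every enabled account that has no active employee or contractor behind it and is not on a known service-account allow-list.

```python
import csv

# Constructed sample account export; the columns are assumed, not DumpSec's real format.
ACCOUNT_DUMP = """\
UserName,Disabled,FullName
jsmith,No,John Smith
mjones,No,Mary Jones
rlee,Yes,Robert Lee
svc_backup,No,Backup Service
tbrown,No,Tom Brown
"""

# Constructed HR extracts: employees and contractors/temps with a status.
EMPLOYEES = """\
Login,Status
jsmith,Active
rlee,Terminated
tbrown,Terminated
"""
CONTRACTORS = """\
Login,Status
mjones,Active
"""

# Assumed allow-list of non-human accounts that have no HR record by design.
SERVICE_ACCOUNTS = {"svc_backup"}


def load_rows(text):
    return list(csv.DictReader(text.splitlines()))


def active_people(*hr_extracts):
    """Logins whose HR status is Active, across every extract given."""
    people = set()
    for extract in hr_extracts:
        for row in load_rows(extract):
            if row["Status"].strip().lower() == "active":
                people.add(row["Login"].strip().lower())
    return people


def orphaned_accounts(account_dump, hr_logins, service_accounts=frozenset()):
    """Enabled accounts with no active person or known service behind them."""
    orphans = []
    for row in load_rows(account_dump):
        name = row["UserName"].strip().lower()
        if row["Disabled"].strip().lower() == "yes":
            continue  # already disabled: not an exposure
        if name not in hr_logins and name not in service_accounts:
            orphans.append(name)
    return sorted(orphans)
```

With the constructed data, `tbrown` (terminated but still enabled) is the one account flagged; run it without the allow-list and `svc_backup` shows up too, which is the prompt to document who owns each service account.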

Overworked government workers flub..

June 3, 2009

It’s no big story that a government office has managed to release sensitive information again.   It’s the excuse in the second half of the article I find disturbing.  In a statement, a Government Printing Office (GPO) spokesman suggested the error was due to the “sheer volume” of documents the GPO processes.  Read the entire article here.

“On average, the GPO produces “approximately 160 House documents each Congress,” the statement said. During the 109th Congress, the GPO produced 157 reports, while in the 110th Congress, 161 reports were published, the statement said.”

That’s 160 WHOLE documents?  Am I missing something?  That works out to less than 1 document a day, assuming they are all processed during the session (if my math is correct .65 per day is the result of 157 docs /242 days).  I’ll email Mike over at Dirty Jobs to see if he is up for the challenge.

What’s your secret question?

May 19, 2009

Passwords are our front doors to all sorts of sensitive data & information.  So what’s your Mother’s maiden name?  Read here.

Schechter’s paper. (PDF link)

Schneier’s take back in ’05.

Two cost of breach studies

May 15, 2009

For your weekend reading, here are some studies from the Ponemon Institute on the costs of data breaches.

The Fourth Annual Cost of a Data Breach PDF link. A related report is Ponemon’s 2008 Annual Cost of a Data Breach Study. Get it here (free registration required).

The Cost of a Lost Laptop PDF link.